
Re: Microsoft-IIS/6.0 serves up Debian... WTF!



On Sun, Jun 8, 2008 at 7:00 PM, Jacob Appelbaum <jacob@appelbaum.net> wrote:
> Your thoughts on this subject are really fascinating. Because while I
> agree that the idea of "security by obscurity" as the only line of
> defense is flawed, you're making assumptions and value judgments that
> seem beyond your abilities. I question your security knowledge and
> capabilities.

Yeah, yeah.  Whatever, dude.

> [snip, snip]

> Have you found some actual security issue with the mirror? Are the
> packages tampered with? Are the signatures invalid?

No, I haven't found an actual security issue with the mirror.  And I
don't believe in waiting for someone to raise a security issue to
determine the actual security of a system.  Surely you would agree
that there are acceptable minimums.  I do think that it would be
prudent for the Debian Security and Mirror teams to know the specifics
about their mirror ops.  And I say that as a former v.d.o mirror op,
where my experience revealed little concern over mirror operators.

The mirror in this instance seems to fall into one of two cases:
   1)  Security by Obscurity plus possible unknown foo.
   2)  Bored opers having fun.

I would think that neither of those cases immediately passes muster
with concerned, security-minded folks.  And just because you are OK
with it, it doesn't mean I have to be. ;-)

-Jim P.

